authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-10-18 10:32:20 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-11-20 16:58:00 +0100
commit05d899fc83317da0dfe3395dd98489651b5783bc (patch)
tree756f8f403d47c787a3d6999c47b9b93697e00ed7
parent7bfbb655a8fff6783d0d8752420f4cc827cf5011 (diff)
downloadgnutls-05d899fc83317da0dfe3395dd98489651b5783bc.tar.gz
cert: introduced flag GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK
This allows reverting the new semantics of checking the OCSP response loaded against the certificates present. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/includes/gnutls/gnutls.h.in5
-rw-r--r--lib/ocsp-api.c16
2 files changed, 20 insertions, 1 deletions
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 9f76ab9cc0..7a46450552 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1764,12 +1764,15 @@ gnutls_certificate_get_verify_flags(gnutls_certificate_credentials_t res);
* gnutls_certificate_flags:
* @GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH: Skip the key and certificate matching check.
* @GNUTLS_CERTIFICATE_API_V2: If set the gnutls_certificate_set_*key* functions will return an index of the added key pair instead of zero.
+ * @GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK: If set, the gnutls_certificate_set_ocsp_status_request_file
+ * function, will not check whether the response set matches any of the certificates.
*
* Enumeration of different certificate credentials flags.
*/
typedef enum gnutls_certificate_flags {
GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH = 1,
- GNUTLS_CERTIFICATE_API_V2 = (1<<1)
+ GNUTLS_CERTIFICATE_API_V2 = (1<<1),
+ GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK = (1<<2)
} gnutls_certificate_flags;
void gnutls_certificate_set_flags(gnutls_certificate_credentials_t,
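Review bot: The new @GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK entry in the gnutls_certificate_flags doc block at L25-L26 omits the restriction the ocsp-api.c documentation in this same commit states, that with the flag set only the end certificate's response can be configured. Since this header is what most users read, I would extend the entry: `* function will not check whether the response matches any certificate in the chain; only the end certificate's response can be set in this mode.` It may also be worth saying that the check exists to catch a response loaded against the wrong certificate, so callers understand what they give up by setting the flag.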
diff --git a/lib/ocsp-api.c b/lib/ocsp-api.c
index 3c2e77ff55..efcf60339c 100644
--- a/lib/ocsp-api.c
+++ b/lib/ocsp-api.c
@@ -357,6 +357,9 @@ unsigned resp_matches_pcert(gnutls_ocsp_resp_t resp, const gnutls_pcert_st *cert
* when multiple responses which apply to the chain are available.
* If the response provided does not match any certificates present
* in the chain, the code %GNUTLS_E_OCSP_MISMATCH_WITH_CERTS is returned.
+ * To force the previous behavior set the flag %GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK
+ * in the certificate credentials structure. In that case, only the
+ * end-certificates OCSP response can be set.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
* otherwise a negative error code is returned.
@@ -376,6 +379,19 @@ gnutls_certificate_set_ocsp_status_request_file(gnutls_certificate_credentials_t
if (idx >= sc->ncerts)
return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+ if (sc->flags & GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK) {
+ /* quick load of first response */
+ gnutls_free(sc->certs[idx].ocsp_response_files[0]);
+
+ sc->certs[idx].ocsp_response_files[0] = gnutls_strdup(response_file);
+ if (sc->certs[idx].ocsp_response_files[0] == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+ return gnutls_certificate_set_ocsp_status_request_function3(
+ sc, idx, file_ocsp_func,
+ &sc->certs[idx], 0);
+ }
+
ret = gnutls_load_file(response_file, &der);
if (ret < 0)
return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
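Review bot: The skip path added at L54-L65 stores response_file and returns before the gnutls_load_file() call at L67, so with the flag set a nonexistent or unreadable path is no longer reported as GNUTLS_E_FILE_ERROR at configuration time; if file_ocsp_func reads the file lazily, the misconfiguration presumably only surfaces during a handshake, which is harder to diagnose. Consider keeping a readability check in front of the early return, e.g. `ret = gnutls_load_file(response_file, &der); if (ret < 0) return gnutls_assert_val(GNUTLS_E_FILE_ERROR); gnutls_free(der.data);` before the strdup, unless deferring the read is intentional. The comment `/* quick load of first response */` at L55 also understates what happens; `/* legacy mode: record the file for the end certificate only, without checking that it matches any certificate in the chain */` would say why slot 0 is overwritten. Whether other slots of ocsp_response_files or any associated count need resetting here cannot be seen from this hunk; gnutls_certificate_set_ocsp_status_request_file begins before it and continues after L69.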